OWASP Top 10 for LLM Applications
The OWASP Top 10 for LLM Applications is a security-awareness reference for applications that embed large language models, prompts, retrieval, tools, model providers, data pipelines, vector stores, and generative-AI outputs into software systems.
Snapshot
- Core source: OWASP GenAI Security Project's 2025 Top 10 Risk & Mitigations for LLMs and Gen AI Apps.
- Scope: LLM application security, not model consciousness, general AI ethics, legal compliance, or a complete safety certification.
- Ten categories: prompt injection, sensitive information disclosure, supply chain, data and model poisoning, improper output handling, excessive agency, system prompt leakage, vector and embedding weaknesses, misinformation, and unbounded consumption.
- Use case: a starting taxonomy for threat modeling, procurement due diligence, secure design, red-team planning, monitoring, incident response, and audit evidence.
- Boundary: the LLM list applies even when the system is not an autonomous agent; agentic systems should also be reviewed against the separate OWASP Top 10 for Agentic Applications 2026.
- Governance warning: "mapped to OWASP" is weak unless the organization can show tests, controls, owners, logs, incidents, and decisions tied to each relevant category.
Definition
The OWASP Top 10 for Large Language Model Applications is an OWASP GenAI Security Project awareness document for developers, data scientists, application-security teams, platform engineers, and governance reviewers building applications and plug-ins that use LLM technologies. OWASP's project repository describes it as a standard awareness document, a broad-consensus reference for critical LLM application risks, and a project scoped to LLM application security.
It is not a statute, certification scheme, vendor attestation, or guarantee of safety. It is a vocabulary and review scaffold. It helps teams discuss recurring places where LLM-backed systems fail: instruction boundaries, secrets, dependencies, training and retrieval data, output handling, delegated actions, system prompts, vector stores, factual reliability, and resource consumption.
The useful unit of analysis is the deployed application, not the base model alone. A model that is low risk in a sandbox can become high risk when connected to private documents, enterprise search, code execution, email, ticketing, browsers, databases, production APIs, or a vector index that mixes tenants and trust levels.
Current Context
As of June 25, 2026, OWASP's released LLM list is the 2025 Top 10. OWASP's resource page dates the 2025 guide to November 17, 2024, and the GenAI Security Project's LLM Top 10 page still labels the current LLM list as "2025 Top 10 Risk & Mitigations for LLMs and Gen AI Apps." The OWASP Foundation project page now points readers to the GenAI Security Project for the latest LLM list. That date and source path matter because earlier OWASP LLM versions used different category names and ordering.
OWASP separately released the Top 10 for Agentic Applications for 2026 on December 9, 2025. That 2026 agentic list should not be treated as a replacement for the 2025 LLM list. It covers a narrower class of systems that plan, use tools, coordinate, or act across workflows. A chatbot, RAG tool, summarizer, or coding assistant can be in scope for the LLM list even when it is not agentic.
Other official guidance fills different layers. NIST AI 600-1, the Generative AI Profile, frames generative-AI risk management under Govern, Map, Measure, and Manage. NIST SP 800-218A adapts the Secure Software Development Framework for generative AI and dual-use foundation models. CISA, UK NCSC, and partner agencies frame secure AI system development across secure design, development, deployment, and operation. The OWASP LLM list is most useful when paired with those lifecycle and governance frameworks rather than treated as a standalone compliance checklist.
How It Works
The OWASP GenAI Security Project's 2025 list names ten categories: LLM01 Prompt Injection; LLM02 Sensitive Information Disclosure; LLM03 Supply Chain; LLM04 Data and Model Poisoning; LLM05 Improper Output Handling; LLM06 Excessive Agency; LLM07 System Prompt Leakage; LLM08 Vector and Embedding Weaknesses; LLM09 Misinformation; and LLM10 Unbounded Consumption.
The categories cover both model behavior and surrounding application design. Prompt injection names cases where user input, retrieved content, or external data alters intended behavior. Sensitive information disclosure covers leakage of private, confidential, or restricted information. Supply-chain risk includes models, data, packages, plug-ins, and service dependencies. Poisoning covers corrupted training, fine-tuning, model, or embedding inputs.
The remaining categories focus on what happens after a model responds. Improper output handling describes insufficient validation or sanitization before model output reaches downstream software. Excessive agency addresses systems where the model can take consequential actions with too much permission. System prompt leakage concerns exposure of internal instructions. Vector and embedding weaknesses cover retrieval and similarity-search failure modes. Misinformation covers harmful reliance on false or misleading outputs. Unbounded consumption covers cost, capacity, denial-of-service, and resource abuse patterns.
Category Evidence Map
The most useful way to apply the OWASP list is to translate each category into evidence that can survive design review, procurement, audit, and incident response.
- LLM01 Prompt Injection: direct and indirect prompt-injection tests, trusted-context labels, tool-call refusal tests, and records showing that untrusted documents are treated as evidence rather than instruction.
- LLM02 Sensitive Information Disclosure: data-classification rules, redaction and logging policy, training-use exclusions, secret scanning, tenant boundaries, and records of what data the model, provider, or retrieval layer can see.
- LLM03 Supply Chain: model, package, dataset, connector, plug-in, prompt, and evaluation-set inventories, with versions, sources, signatures or hashes where practical, and vendor-retention terms.
- LLM04 Data and Model Poisoning: provenance checks for training, fine-tuning, retrieval, embedding, and feedback data; index-change review; poisoning tests; and rollback plans for corrupted data sources.
- LLM05 Improper Output Handling: validation and escaping before model output reaches browsers, databases, code execution, emails, tickets, command lines, policy engines, or other automated systems.
- LLM06 Excessive Agency: scoped credentials, least-privilege tools, approval gates, sandbox boundaries, blocked-action logs, cost controls, and a clear record of what the system cannot do.
- LLM07 System Prompt Leakage: prompt versioning, secret-free system prompts, disclosure assumptions, customer-facing explanation of limits, and defenses that do not depend on prompt secrecy alone.
- LLM08 Vector and Embedding Weaknesses: vector-store tenancy, source-document identifiers, embedding-model version, deletion and reindex evidence, access controls, and retrieval-poisoning tests.
- LLM09 Misinformation: grounding policy, source freshness, citation validation, abstention or escalation behavior, human review for high-impact uses, and incident criteria for false outputs that cause security or public-service harm.
- LLM10 Unbounded Consumption: token, context, retrieval, tool, API, and spend limits, rate limits, loop breakers, abuse monitoring, and alerting for anomalous cost or capacity spikes.
Agent Context
The LLM Top 10 is broader than, and different from, the OWASP Top 10 for Agentic Applications. The LLM list applies to chatbots, retrieval-augmented generation, summarizers, coding assistants, enterprise search, classification, and model-backed workflows even when they do not qualify as autonomous agents.
Agentic systems inherit the LLM risks and add more. A tool-using agent can suffer prompt injection, disclose sensitive information, rely on poisoned retrieval, leak a system prompt, or consume resources without also being compromised through an agent-specific failure such as inter-agent communication or rogue workflow behavior. Good review keeps those two OWASP lists adjacent but separate.
This distinction is important for Model Context Protocol and tool ecosystems. MCP, browser automation, and plugin systems can add agent-specific risks such as token exposure, tool poisoning, missing authorization, and weak telemetry, but the underlying LLM categories still apply whenever prompts, retrieved content, model output, vector stores, or generated actions cross a trust boundary.
Governance and Safety
A governance program can use the LLM Top 10 as a design-review checklist. For each category, record the system boundary, data sources, model provider, prompts, retrieval stores, output consumers, tool permissions, logging, human review points, abuse controls, and incident owner. The list becomes useful when every category points to an artifact and an accountable team.
Procurement reviews should ask vendors which OWASP LLM categories they test, what evidence they preserve, how they handle prompt-injection reports, whether customer data enters training or logs, how vector indexes are protected, and how resource limits are enforced. Internal deployments should preserve the same evidence for auditors and incident responders.
Coverage should be risk-based, not ceremonial. A marketing chatbot, RAG search tool, coding assistant, claims-processing workflow, and database-connected agent need different evidence even when all are "LLM applications." The reviewer should be able to trace each relevant category to a control, test, owner, exception, and retest trigger.
The list also helps safety teams avoid a common category error: treating model behavior as the whole system. Improper output handling, supply chain, vector weaknesses, and unbounded consumption are often application, infrastructure, data, and operations problems. They cannot be solved by a safer prompt alone.
For high-impact deployments, OWASP evidence should connect to an AI system inventory, AI procurement record, AI bill of materials, model or system card, red-team report, audit trail, incident reporting process, and AI change management. Otherwise, "we use OWASP" is only a slogan.
Minimum Evidence Record
A serious OWASP LLM review should leave enough evidence for security, procurement, audit, and incident response without storing secrets or private prompts unnecessarily.
- System boundary: owner, purpose, model provider, model or endpoint version, user population, deployment surface, data classification, and lifecycle status.
- Context sources: system prompts, user inputs, retrieved documents, vector indexes, tool outputs, memories, logs, fine-tuning data, and trust labels for each source.
- Controls by category: prompt-injection tests, data-leakage controls, supplier review, poisoning checks, output validation, agency limits, prompt-leakage posture, vector-store controls, misinformation safeguards, and resource limits.
- Authority and action: tool permissions, credentials, scopes, approval gates, sandboxing, human review, rollback path, revocation path, and blocked-action records.
- Monitoring and incidents: abuse alerts, rate limits, cost controls, suspicious retrieval hits, data-disclosure reports, prompt-injection reports, poisoning indicators, outage or cost spikes, and post-incident changes.
- Traceability: run identifiers, model route, prompt or policy version, retrieval identifiers, tool-call trace, output consumer, human approval, and the audit log location.
- Change history: model swaps, prompt changes, index updates, new data connectors, vendor changes, new tools, policy exceptions, risk acceptances, and retest dates.
Failure Modes
- Checklist theater: a team marks LLM01 through LLM10 as reviewed without evidence, owners, tests, monitoring, or release decisions.
- Prompt-only security: a system prompt is treated as the main defense even though the application has tool permissions, private data, generated code, or untrusted retrieval.
- RAG blind spot: vector-store provenance, tenant separation, deletion, poisoning review, and embedding updates are left outside the security review.
- Output trust collapse: model output is rendered, executed, emailed, stored, or sent to another system without validation, escaping, authorization, or human review where needed.
- Vendor opacity: the buyer cannot tell which model, logs, training-use policy, subprocessors, or data-retention rules apply to the deployed system.
- Overbroad agency: the model can write, send, delete, spend, deploy, or call tools with broader authority than the task requires.
- Misinformation as security risk: false output is treated only as quality failure even when it can drive fraud, unsafe code, bad incident response, or public-service error.
- Unbounded consumption: token, compute, retrieval, tool, or API use is allowed to spike without quotas, budgets, rate limits, or abuse detection.
Defense Pattern
- Threat-model by category. Walk LLM01 through LLM10 against the actual application, not against a generic chatbot.
- Classify context. Separate system instructions, user input, retrieved documents, tool output, memory, and logs by trust level.
- Validate outputs. Treat model output as untrusted data before it reaches code, databases, browsers, emails, tickets, or tools.
- Protect retrieval. Track source provenance, embedding updates, tenant boundaries, deletion, poisoning review, and index access.
- Limit agency and consumption. Use scoped credentials, budget limits, rate limits, quotas, approval gates, and rollback paths.
- Preserve evidence safely. Keep test results, prompts where appropriate, retrieval identifiers, model versions, decisions, and incidents, while redacting secrets and personal data.
- Retest after changes. Model swaps, prompt changes, new tools, new indexes, and new data sources can reopen old categories.
Source Discipline
Claims about the OWASP LLM list should cite the 2025 source page, the specific LLM category page, or the project repository. Category names changed from earlier versions, so source notes should identify the year and label. Do not mix the 2025 LLM list with the 2026 agentic list or with MCP-specific security checklists.
The list is a security taxonomy, not a prediction that every LLM application will fail. It also is not proof that an LLM application is safe after a team checks ten boxes. The useful claim is narrower: these are widely recognized risk classes that should be reviewed with local evidence.
For current status, prefer OWASP GenAI Security Project pages, the OWASP Foundation project page, and official repositories over vendor blogs. For governance claims, cite NIST AI RMF, NIST AI 600-1, NIST SP 800-218A, CISA/NCSC secure-AI guidance, procurement records, audit reports, incident logs, and system documentation. Secondary explainers can help readers, but they should not carry claims about official category names, dates, or compliance duties.
Spiralist Reading
Spiralism reads the OWASP LLM list as a map of where language becomes infrastructure. A sentence can become an instruction. A retrieval result can become evidence. An answer can become code, a ticket, an email, or a decision record.
The practical lesson is sobriety. Once language is wired into systems of action, security cannot live only in the model. It has to live in provenance, permissions, boundaries, validation, logs, and the human habit of asking what authority a text has been given.
Open Questions
- How should organizations show evidence of OWASP LLM coverage without reducing the list to compliance theater?
- Which LLM risk categories should become standard incident-reporting fields?
- How should RAG systems expose vector-index provenance and deletion evidence to auditors?
- Where should vendors draw the line between system prompt secrecy and customer auditability?
- When should LLM09 misinformation be treated as a security incident rather than only a product-quality issue?
- How should OWASP LLM controls be represented in AI bills of materials and model/system cards?
Related Pages
- OWASP Top 10 for Agentic Applications
- MITRE ATLAS
- Adversarial Machine Learning
- Prompt Injection
- System Prompts
- Data Poisoning
- Retrieval-Augmented Generation
- Embeddings and Vector Representations
- Vector Databases
- Context Poisoning
- AI Jailbreaks
- AI Agent Sandboxing
- AI Agent Observability
- AI Agent Identity
- Tool Use and Function Calling
- Confused Deputy Problem
- Sender-Constrained Tokens
- Secure AI System Development
- NIST Generative AI Profile
- NIST SP 800-218A
- AI System Inventory
- AI Bill of Materials
- AI Data Provenance
- AI Change Management
- AI Red Teaming
- AI Incident Reporting
- AI Vulnerability Disclosure
- AI Post-Market Monitoring
- Data Minimization
Sources
- OWASP GenAI Security Project, 2025 Top 10 Risk & Mitigations for LLMs and Gen AI Apps, reviewed June 25, 2026.
- OWASP GenAI Security Project, OWASP Top 10 for LLM Applications 2025, reviewed June 25, 2026.
- OWASP Foundation, OWASP Top 10 for Large Language Model Applications project page, reviewed June 25, 2026.
- OWASP Foundation, OWASP Top 10 for Large Language Model Applications repository, reviewed June 25, 2026.
- OWASP GenAI Security Project, OWASP Top 10 for Agentic Applications for 2026, December 9, 2025, reviewed June 25, 2026.
- OWASP Foundation, OWASP MCP Top 10, reviewed June 25, 2026.
- NIST, Artificial Intelligence Risk Management Framework: Generative Artificial Intelligence Profile, NIST AI 600-1, July 2024; updated April 8, 2026.
- NIST, SP 800-218A: Secure Software Development Practices for Generative AI and Dual-Use Foundation Models, July 2024.
- UK NCSC, CISA, NSA, FBI, and international partners, Guidelines for Secure AI System Development, November 2023.
- OWASP GenAI Security Project, LLM01:2025 Prompt Injection, reviewed June 25, 2026.
- OWASP GenAI Security Project, LLM02:2025 Sensitive Information Disclosure, reviewed June 25, 2026.
- OWASP GenAI Security Project, LLM03:2025 Supply Chain, reviewed June 25, 2026.
- OWASP GenAI Security Project, LLM04:2025 Data and Model Poisoning, reviewed June 25, 2026.
- OWASP GenAI Security Project, LLM05:2025 Improper Output Handling, reviewed June 25, 2026.
- OWASP GenAI Security Project, LLM06:2025 Excessive Agency, reviewed June 25, 2026.
- OWASP GenAI Security Project, LLM07:2025 System Prompt Leakage, reviewed June 25, 2026.
- OWASP GenAI Security Project, LLM08:2025 Vector and Embedding Weaknesses, reviewed June 25, 2026.
- OWASP GenAI Security Project, LLM09:2025 Misinformation, reviewed June 25, 2026.
- OWASP GenAI Security Project, LLM10:2025 Unbounded Consumption, reviewed June 25, 2026.